It would be nice if a large company with millions of peoples sensitive information actively challenged their own network security rather than depending on their software to do the job for them.
While I dont disagree, you will find a lot of surprisingly large companies do not do that, or even hire people to do that for them particularly since the GFC. Since the GFC most companies have put less into IT infrastructure which means there are cutbaks somewhere. Companies that do actually do this simply DO NOT do it often enough. Hell some of the worlds major banks are in a very precarious position security wise and trust me when I say they get breached or at least partially compromised regularly and often it takes months for them to work it out or a customer has to complain about something untoward.
I often think that if it wasnt for Visa/Mastercard and the other major credit instituions forcing banks to upgrade various aspects of their security so they can remain agents of these credit companies that a whole lot less would be gettign done. By now all banks should be issuing only cards with the unique CHIP's embedded in them to prevent card cloning and also issuing customers with the physical electronic security chit/key thing for online banking security.
But yes I am less than impressed that my personal information (I dont use PSN for purchases) is now floating around the net.
maybe its poor wording but I was meaning that they should hire people who are capable of monitoring "known vulnerabilities" and keeping up to date on these "known vulnerabilities"
As it was discussed already, "known vulnerability" does not mean it can be easily fixed, if even at all, nor that there were no security measures regarding the vulnerability put in place.
Hiring someone to monitor their system? Like...seriously? Do you think that someone is going to sit at the computer watching the 'traffic'?
Actually there is some pretty decent hardware and of course software out there to do this for you and you set tolerances for it to report discrepancies or aberation on to someone.
It can be done but again there is a cost, there is time and of course in a massive network there would need to be a major infrastructure change so that customer connection/service does not change in any way when monitoring all traffic (which does have an impact on things like speed)
Nothing is foolproof though and as always a system is only as strong as its weakest link (which is most often the users/sysadmins).
Right but Sony was not aware of it, the vulnerability was speculation among the security sectors and Sony was not convinced of it's vulnerability, so they were not aware of it till they got hacked. I know it sounds moronic but it's like having a unsinkable submarine built, your sub was built as unsinkable then you dive 2000 feet and see a small leak and avoid paying any attention to it because you know you have a unsinkable submarine but in fact 10 more feet down the sub blows up because you refused to believe you didn't have the best for the job.
I still don't blame Sony from this, cause what Shiro has said and what was confirmed by the AP and other Asian news sources on Sony. The vulnerability was so small only a handful of people known about it and Sony was not aware of it till it was to late. At least that is what I have read so far.
I posted that, because people (Gdemami) keep saying that it was not a known vulnerability that was exploited.
That exploit wasn't some small unknown secret hole in apache servers. All reports so far point to Sony running apache servers that were exposed to the internet without proper A) patching and firewalls.
For all the talk about doing as much as possible, installing a security patch is step zero. It makes any other claims hard to believe when that isn't even done.
Here is someone talking about the vulnerabilities back in February. He talks about probing the network and discovering many unpatched servers, lack of proper insulation from outside attack (firewall/vpn), etc. LINK
Honestly if Sony was keeping their security up to date and not half-assing it, then they wouldn't need to have taken their service offline for so long and need to rebuild it from the ground up. That alone indicates that things were a complete mess.
Sony did have it's servers and security up to date. They also had 3 firewalls on the personal information database which got hacked for several days without tripping any detection, these hackers were damn good to be able to stay in and for that long before a major Corporation noticed.
They have taken the services offline now for as long as they have because they said that there was hidden code planted inside that they found in one spot, going over everything and whatever else is going to take coders, programmers, security, FBI, or whoever else a long while to sort through it all to make sure nothing is there when they fire back up.
Also pretty sure since these hackers got through 3 firewalls and all that that Sony security is betting there could be hidden someplace they wouldn't expect, leading to even further downtime like I said to go through it all. Then they have to apply new securities, new firewalls, new server farm potentially with newer hardware and then TEST it all to make sure it's working.
Since we have no further details then what is listed then we have no idea if it's more complicated, they could of deleted shit we never know.
Most likely if the attack was that far reaching machines will be nuked of non esential data and rebuilt with fresh OS/Drivers/software and then eventually essential data once it has been scrutinised.
More than anything I think this whole incident is a wakeup call to corporations and to customers to start thinking a lot harder about their data security. The number of people with multiple CC's who didnt know which card they had registered on PSN is just staggering. I mean seriously.... if you have 3 credit cards and are security minded but forced to use a CC online where there is no other choice just use the same card everywhere and be done with it..... it leaves you so much less exposed to harm from shit like this. That and how people continually stupidly use the same passwords in multiple internet locations....
Maybe I am asking too much, I do work in Enterprise IT and 90% of users I encounter are as dumb as a sack full of hammers.
Yes all true and the hard part is convincing people how to do the responsible things to keep themselves even more secure.
I myself have even recently changed banks. Yes I went so far as to do that because I heard that my institution was not signed up for and did not support the new mastercard securecode and never offered me Visa verified and I did not feel like they took my security serious enough considering even though my card information did not get out that with the information tha did it was time to move where they cared more about my secuirty then how much their custumers had in their accounts.
The way I look at it is that it is time to use my common street smarts as well as common sense since we seem to be getting the same kind of criminals online now.
If they were paid to watch network traffic.. why not?
With no offense but I had to laugh so hard on this one... Sorry, but your perception how network security works is very very naive.
I'm sure its more complicated than staring at a pressure dial at a power plant..
but the concept is the same... a person to monitor for large irregularities.. like say downloading 77 million peoples account information
Sorry for my short, not much explaining reply but I am currently a bit busy and do not have enough time that proper reply would deserve.
What you talk about is tens or hundreds thousands of connections and events at any given time. It's so much information that at the end there is nothing to see.
Human factor plays a different role here - it's not there to monitor the traffic but manage devices and software watching the network traffic. It's very complex as security of the network has different layers and aspects.
What network monitoring is about is setting sophisticated set of filters, rules and profiles on your security devices and software. That applies to firewalls that watch the inbound traffic and IP/DS (Intrusion Prevention and/or Detection System) that use highly sophisticated methods - such as statistical irregularities, to monitor not the connection but events within the system. If there is a behavior corresponding with a profile of malicious or unauthorized activity, action is taken automatically and/or personnel is notified.
Even if you use all those systems, it boils down to nature of the intrusion.
I personally like the concept of firewall-free systems because like in saying:
Sony chief information officer, Shinji Hasejima said "The vulnerability of the network was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it. We are now trying to improve aspects of it."
Honestly if Sony was keeping their security up to date and not half-assing it, then they wouldn't need to have taken their service offline for so long and need to rebuild it from the ground up. That alone indicates that things were a complete mess.
There are just too many rumors flying around about this, what's worse is they're being used as facts or at least seemingly so. Here's a few reports that knock almost all of them down.
Believe what you want of course, but at least take in all info before making such broad accusations.
I am as disgruntled as the next guy when it comes to SOE/Sony, but I hate false information even more.
Passwords weren't in Plain text.. They were hashed.
As far as known vulnerabilities go, maybe they're guilty of ignoring them, they basically say as much. They don't exactly say what those vulnerabilities were though, or whose software they were apart of, at least that I've seen or read. Say they were on Apache's end, is SOny responsible for that?
If Sony firewalls and security were up to date, then there would be no known vulnerability to be exploited. One sort of makes the other impossible. Sony flat out admitted that it was a known vulnerability that was exploited. An exploit that the rest of the world knew about.
A lot of databases were compromised by the intruders. There was far to much information in clear text. Even beyond passwords.
Read the Sony statements really carefully and tell me if they don't leave loopholes open.
If by Reports you mean rumours then you are half right. All this talk of unpatched servers is complete crap & media frenzy of people repeating rumours as gospel.
You can read the whole thing over on bitmob but a particularly angry PSN user checked into this and well here is a quote:
"As it turns out, it is fairly simple to use Google's webcache to show what version of Apache the PSN servers were using back in March. According to a page request archived by Google on March 23, 2011, at that time Sony was running version 2.2.17 of the software. You can see from Apache's website that 2.2.17 is the latest stable version of the webserver available even today. This is a direct repudiation of the claims being made that Sony's webservers were out of date by as much as five years."
So with that in mind lets all see if we can't stop propagating the same rumour that has been proven to be false.....
I am as angry about the outage as any PS3 owner but the ammount of "so called experts" on websites & forums accross the internet right now talking out their arses is out of control.
Sonys chief information officer admitted that the hackers got in through a known exploit. One that was patched away by the rest of the world. If the Sony servers had a known exploit vulnerable that means they were not up to date, agreed?
There are also several reports prior to the hacking of people probing the PSN network and discovering a variety of different patch levels on their exposed web servers.
As for the google tests, there are thousands of servers running at the PSN. Did they test them all? Are all the PSN servers even logged at that site? I did read the bitmob piece and thought it had a lot of unanswered questions and leaps in logic to reach a conclusion.
In conclusion, people were saying the PSN servers were not up to date and the mechanisms protecting the network were lackings. Sonys chief information officer admits there servers were running known vulnerabilities. At this point it really isn't rumor anymore and some guy doing google searches really doesn't disprove that.
If the Sony servers had a known exploit vulnerable that means they were not up to date, agreed?
No. That is your invalid assumption only.
Still trying to argue that the Sony network was secure I see.
One the one hand we have your one liners, unrelated classroom theories and gross generalization.
On the other hand we have admission from Sony, Congressional testimony, Hackers pointing out the unpatched nature of the servers months ago and that actual breach of the entire PSN/SOE network through the previously mention known vulnerabilities.
Just because you say it is invalid, doesn't make it so. Especially when that is all you have to reinforce your claims.
Sony chief information officer, Shinji Hasejima said "The vulnerability of the network was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it. We are now trying to improve aspects of it."
Ok where in that statement did it say that the REST of the world knew about this vulnerability? All it says is known of the world not by the REST of the world therefore you are putting words into their mouths and spreading rumors.
Just because a statement says something is known of the world does not mean the entire world. I think what they we trying to get at in this statement is that there were some people who knew of this vulnerability not everyone and that is how this hack happened in the first place. And i guarantee you if EVERYONE in the world knew about it Sony would have too. And so would have obviously the makers and would have fixed this problem and some vulnerabilities I am sure were made obvious when the guy that they sued hacked into his machine and changed a legally pantented piece of hardware. Which in turn could have compromised Sony.
Pantenting has ALWAYS been something that legally protects something that someone invented from being changed. SO all of you out there defending this hacker think about if you had invented something and sold it, this item being patented and then as soon as the public got a hold of it decided that they were just going to change things in your invention after you spending years on making it the way it was. People just do not seem to get what it means when you change coding and such into a patented thing. It is no different than taking an artist's painting or an author's book and starting to paint or rewrite over and mess up the original painting or book which in turn makes that painting worthless. Would you all do that? Heck no because you would not be able to ever resell that painting for 10 of thousands of $s would you? Or millions depending on what it is worth. And you would never do it to a book because it is ilegal I believe it is called Plagarism. To use something that someone else wrote and try to change some of it but copy other parts.
This is what people do not seem to understand in this situation is that he weakened their system in the first place. And then Anonomous decides to take revenge on Sony JUST Like they did last year on Mastercard and Visa and cause a denial of service and guess what.... That denial of service had Mastercard and Visa both froze up for hours. So while Anonymous was doing this and the system was frozen up the people who stole our personal information and the system was not able to read this second hack due to this denial of service.
This is what the 8 page letter to the courts said from Sony was what I said above.
No I am not saying that this is ironclad or anything this is what I derived at after researching and reading everything I could about prior hacks and read about that. This is just my thoughts on this.
I think the point here is that Sony decided to save some money on network security rather than using the billions they have to implement a system impenatrable by low budget hackers (comparatively, Sony has more money than these hackers do).
Most people go through life pretending to be a boss. I go through life pretending I'm not.
To find out if this was anonymous or not, all you have to do is go and ask them. They won't lie to you.
IT IS NOT ANONYMOUS. I don't know what IRC room they heard this in but it wasn't anonymous saying. It's quite possible they use anonymous IRC servers to talk though, as anyone and everyone is welcome to chat on them as long as they are anonymous while doing so.
It is not anonymous' message to steal things or hurt the everyday man. Anonymous fights for freedom of speech, and against the lies of scientology. This is clearly niether.
Akaronia I believe you might have the wrong idea about a patent?
A patent protects an idea, concept, or physical item based on its design. The intent is that the patent owner desrves credit for his idea/design. Now if you buy a patented item, you physically bought the item and are able to do what you wish with that particular item. You own it. If you want to change it, or draw in the book with a marker, or go crazy "Office Space" with it in a field somewhere you can do that because you own that physical piece you bought. But you can't change something and then resell it, or market it, or do anything outside of own it with out written permision of the original owner. You can't reproduce the item in any form, you are only allowed to use the pyhsical Item you own in any legal way you see fit.
Now if the hacker who moddified his PS3 to do something unintended on the PS3 network, or go beyond just the physical limits of his personal PS3 then there might be legal issues. I'm not fimilar with the case, only ever over heard comments about it. Moddifying a console you physically own is as far as I know legal, but doing it as a service for a unit you don't own is illegal, also the moment you use a moddified system on the PSN you cross into an illegal area of use. As I'm sure their TOS cover that kind of thing.
The big problem is that its easy to use law on something that is physical, but once you step into the world of ideas, and cyber space, legal issues are much harder to protect/understand for both parties, especially the general public if they are brought into a court case.
In the worlds of my Technology Deprived Grandmother. "Global warming is caused by space ships pokeing holes in the atmosphere and letting the heat of the sun into our skies".....ugh....
Ok where in that statement did it say that the REST of the world knew about this vulnerability? All it says is known of the world not by the REST of the world therefore you are putting words into their mouths and spreading rumors.
Just because a statement says something is known of the world does not mean the entire world. I think what they we trying to get at in this statement is that there were some people who knew of this vulnerability not everyone and that is how this hack happened in the first place. And i guarantee you if EVERYONE in the world knew about it Sony would have too. And so would have obviously the makers and would have fixed this problem and some vulnerabilities I am sure were made obvious when the guy that they sued hacked into his machine and changed a legally pantented piece of hardware. Which in turn could have compromised Sony.
Sony said it had a known exploit live and that is how the hackers got in. Hackers and security experts have all stated that the Sony servers were not properly patches or isolated from the internet.
You can squabble if the rest of the entire world knew it or it was well known enough that it was already patched. The end result is just the same. Sony servers were not properly secured and the CIO admits as much in his statement. 2 points to him for actually being honest.
It wasn't anonymous, Sony was stupid and the hackers are not being glorified.
Ah finally someone teaches them a lesson after what SoE pulled with the NGE
If you are interested in subscription or PCU numbers for MMORPG's, check out my site : http://mmodata.blogspot.be/ Favorite MMORPG's : DAoC pre ToA-NF, SWG Pre CU-NGE, EVE Online
I'm not saying the servers firewall's were out of date.. or if they were up to date.. I don't know
what i do know is some sony employees told that purdue professor some gossip that they weren't so it seems plausible.
For the sake of argument.. even if the servers were out of date.. Sony would never reveal that information.. they would use political clout to steer politicians away from criminal negligence and move toward a civil settlement.
Sony has admitted it was a known vulnerability.. but I haven't seen them yet admit the servers were out of date.
Akaronia I believe you might have the wrong idea about a patent?
A patent protects an idea, concept, or physical item based on its design. The intent is that the patent owner desrves credit for his idea/design. Now if you buy a patented item, you physically bought the item and are able to do what you wish with that particular item. You own it. If you want to change it, or draw in the book with a marker, or go crazy "Office Space" with it in a field somewhere you can do that because you own that physical piece you bought. But you can't change something and then resell it, or market it, or do anything outside of own it with out written permision of the original owner. You can't reproduce the item in any form, you are only allowed to use the pyhsical Item you own in any legal way you see fit.
Now if the hacker who moddified his PS3 to do something unintended on the PS3 network, or go beyond just the physical limits of his personal PS3 then there might be legal issues. I'm not fimilar with the case, only ever over heard comments about it. Moddifying a console you physically own is as far as I know legal, but doing it as a service for a unit you don't own is illegal, also the moment you use a moddified system on the PSN you cross into an illegal area of use. As I'm sure their TOS cover that kind of thing.
The big problem is that its easy to use law on something that is physical, but once you step into the world of ideas, and cyber space, legal issues are much harder to protect/understand for both parties, especially the general public if they are brought into a court case.
In the worlds of my Technology Deprived Grandmother. "Global warming is caused by space ships pokeing holes in the atmosphere and letting the heat of the sun into our skies".....ugh....
Ye i think thats the all point of that affair, somehow sony managed to make their potent go outside the usual limit potent have, is it just to protect their product or to be able to sue such hacker as that young 17 years old that hacked the PSN, i don't know, most certainly both.
Ok where in that statement did it say that the REST of the world knew about this vulnerability? All it says is known of the world not by the REST of the world therefore you are putting words into their mouths and spreading rumors.
Just because a statement says something is known of the world does not mean the entire world. I think what they we trying to get at in this statement is that there were some people who knew of this vulnerability not everyone and that is how this hack happened in the first place. And i guarantee you if EVERYONE in the world knew about it Sony would have too. And so would have obviously the makers and would have fixed this problem and some vulnerabilities I am sure were made obvious when the guy that they sued hacked into his machine and changed a legally pantented piece of hardware. Which in turn could have compromised Sony.
Sony said it had a known exploit live and that is how the hackers got in. Hackers and security experts have all stated that the Sony servers were not properly patches or isolated from the internet.
You can squabble if the rest of the entire world knew it or it was well known enough that it was already patched. The end result is just the same. Sony servers were not properly secured and the CIO admits as much in his statement. 2 points to him for actually being honest.
It wasn't anonymous, Sony was stupid and the hackers are not being glorified.
SO this just amazes me as to how nawadays we protect and defend vigilantes who hacked into our credit card companies because our credit card companies were protecting our security by denying a service to a compnay because they found them to be doing ilegal things?????
And guys I don't care what Anonymous says in any book they are criminals and you can not believe anything a criminal says while they are still in denial that they are infact a criminal. Now after the fact that they have reformed maybe they become honest in what they say. But the fact is here Anonymous is in denial that they do anything wrong even though they are vigilante criminal minds who think they can be Robin Hood!!!!!!!! So ask me to believe them again. I dare you.
You really think that even if someone in their organization was involved in this without them knowing at the time then when they found out they would not protect them? I have news criminals protect one another period and especially if there is any kind of connection clouding their judgement.
It is the same as an alcoholic that is in denial of his disease. No different until he is reformed from that disease or in remission. Until you have actually interacted with enough criminals in denial you may not know this. No I am not saying they can not get out of denial and hopefully someday be upstanding citizens who are actually helpful in our comminuty as whole but as long as they are in denial of their problem you can not believe anything they say.
If you have any information that this was indeed the work of Anonymous or some other hackers, then lets hear it. I'll gladly join arms with you and chant for them to be burned at the metaphorical stake, because that is what they deserve.
Regardless of your views of anonymous for their past actions, based on the information available, they did not do this. Even if somehow they did, it doesn't absolve Sony for their multiple security failures.
If you have any information that this was indeed the work of Anonymous or some other hackers, then lets hear it. I'll gladly join arms with you and chant for them to be burned at the metaphorical stake, because that is what they deserve.
Regardless of your views of anonymous for their past actions, based on the information available, they did not do this. Even if somehow they did, it doesn't absolve Sony for their multiple security failures.
I never once said that they did this. What they did do was make it possible for the hackers who did do this to steal from Sony without their security detecing it becaue they had Sony Servers frozen up in a denial of service...
So with this note I will leave this thought if Sony is guilty then Anonymous is just as guilty for their actions which allowed the denial of service to where their security system did not read whoever did this abominable crime period.
If you have any information that this was indeed the work of Anonymous or some other hackers, then lets hear it. I'll gladly join arms with you and chant for them to be burned at the metaphorical stake, because that is what they deserve.
Regardless of your views of anonymous for their past actions, based on the information available, they did not do this. Even if somehow they did, it doesn't absolve Sony for their multiple security failures.
I never once said that they did this. What they did do was make it possible for the hackers who did do this to steal from Sony without their security detecing it becaue they had Sony Servers frozen up in a denial of service...
I could be wrong.. but from my understanding
Denial of service isn't selective.. it deny's service to everybody.. including would be hackers?
If you have any information that this was indeed the work of Anonymous or some other hackers, then lets hear it. I'll gladly join arms with you and chant for them to be burned at the metaphorical stake, because that is what they deserve.
Regardless of your views of anonymous for their past actions, based on the information available, they did not do this. Even if somehow they did, it doesn't absolve Sony for their multiple security failures.
I never once said that they did this. What they did do was make it possible for the hackers who did do this to steal from Sony without their security detecing it becaue they had Sony Servers frozen up in a denial of service...
I could be wrong.. but from my understanding
Denial of service isn't selective.. it deny's service to everybody.. including would be hackers?
Ye thats what i don't understand, if those server where overloaded, how could you even steal something from it such as a huge database? My only logical explanation is that database was just siting there free to take from anyone that could have pass their first protection. And honestly Anonymous got nothing from this in fact but bad naming, the vulnerabilty of SOE security in fact is as bad for anonymous as it is for Sony...
The people that really have to pay the consequences of all this crap are the customer that have their info in the wild.
If you have any information that this was indeed the work of Anonymous or some other hackers, then lets hear it. I'll gladly join arms with you and chant for them to be burned at the metaphorical stake, because that is what they deserve.
Regardless of your views of anonymous for their past actions, based on the information available, they did not do this. Even if somehow they did, it doesn't absolve Sony for their multiple security failures.
I never once said that they did this. What they did do was make it possible for the hackers who did do this to steal from Sony without their security detecing it becaue they had Sony Servers frozen up in a denial of service...
So with this note I will leave this thought if Sony is guilty then Anonymous is just as guilty for their actions which allowed the denial of service to where their security system did not read whoever did this abominable crime period.
The only one who has ever said there was a denial of service attack during this time was Sony. As far as I know no one else has mentioned it, including their customers.
The attacks on the PSN/SOE servers took place between April 17th and April 19th. Sony servers did not come down until April 20th.
As far as I know there was no DOS attack on the PSN/SOE servers between April 17th and 19th and everything was running just fine. Anonymous stopped their DOS attacks on April 7th stating they were only hurting Sony customers and not Sony.
Everything about the DOS attack and any connection to Anonymous feels more like a smokescreen trying to shift blame to someone else, because Sony needs someone to blame.
Comments
While I dont disagree, you will find a lot of surprisingly large companies do not do that, or even hire people to do that for them particularly since the GFC. Since the GFC most companies have put less into IT infrastructure which means there are cutbaks somewhere. Companies that do actually do this simply DO NOT do it often enough. Hell some of the worlds major banks are in a very precarious position security wise and trust me when I say they get breached or at least partially compromised regularly and often it takes months for them to work it out or a customer has to complain about something untoward.
I often think that if it wasnt for Visa/Mastercard and the other major credit instituions forcing banks to upgrade various aspects of their security so they can remain agents of these credit companies that a whole lot less would be gettign done. By now all banks should be issuing only cards with the unique CHIP's embedded in them to prevent card cloning and also issuing customers with the physical electronic security chit/key thing for online banking security.
But yes I am less than impressed that my personal information (I dont use PSN for purchases) is now floating around the net.
Actually there is some pretty decent hardware and of course software out there to do this for you and you set tolerances for it to report discrepancies or aberation on to someone.
It can be done but again there is a cost, there is time and of course in a massive network there would need to be a major infrastructure change so that customer connection/service does not change in any way when monitoring all traffic (which does have an impact on things like speed)
Nothing is foolproof though and as always a system is only as strong as its weakest link (which is most often the users/sysadmins).
I'm sure its more complicated than staring at a pressure dial at a power plant..
but the concept is the same... a person to monitor for large irregularities.. like say downloading 77 million peoples account information
I myself have even recently changed banks. Yes I went so far as to do that because I heard that my institution was not signed up for and did not support the new mastercard securecode and never offered me Visa verified and I did not feel like they took my security serious enough considering even though my card information did not get out that with the information tha did it was time to move where they cared more about my secuirty then how much their custumers had in their accounts.
The way I look at it is that it is time to use my common street smarts as well as common sense since we seem to be getting the same kind of criminals online now.
Sorry for my short, not much explaining reply but I am currently a bit busy and do not have enough time that proper reply would deserve.
What you talk about is tens or hundreds thousands of connections and events at any given time. It's so much information that at the end there is nothing to see.
Human factor plays a different role here - it's not there to monitor the traffic but manage devices and software watching the network traffic. It's very complex as security of the network has different layers and aspects.
What network monitoring is about is setting sophisticated set of filters, rules and profiles on your security devices and software. That applies to firewalls that watch the inbound traffic and IP/DS (Intrusion Prevention and/or Detection System) that use highly sophisticated methods - such as statistical irregularities, to monitor not the connection but events within the system. If there is a behavior corresponding with a profile of malicious or unauthorized activity, action is taken automatically and/or personnel is notified.
Even if you use all those systems, it boils down to nature of the intrusion.
I personally like the concept of firewall-free systems because like in saying:
The best block is not to be there.
But that is whole another story...
I already quoted and linked the information, but here you go one more time. Feel free to ignore or rationalize it however you want.
http://www.wired.com/threatlevel/2011/04/trixter/
Sony chief information officer, Shinji Hasejima said "The vulnerability of the network was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it. We are now trying to improve aspects of it."
If Sony firewalls and security were up to date, then there would be no known vulnerability to be exploited. One sort of makes the other impossible. Sony flat out admitted that it was a known vulnerability that was exploited. An exploit that the rest of the world knew about.
A lot of databases were compromised by the intruders. There was far to much information in clear text. Even beyond passwords.
Read the Sony statements really carefully and tell me if they don't leave loopholes open.
Sonys chief information officer admitted that the hackers got in through a known exploit. One that was patched away by the rest of the world. If the Sony servers had a known exploit vulnerable that means they were not up to date, agreed?
There are also several reports prior to the hacking of people probing the PSN network and discovering a variety of different patch levels on their exposed web servers.
As for the google tests, there are thousands of servers running at the PSN. Did they test them all? Are all the PSN servers even logged at that site? I did read the bitmob piece and thought it had a lot of unanswered questions and leaps in logic to reach a conclusion.
In conclusion, people were saying the PSN servers were not up to date and the mechanisms protecting the network were lackings. Sonys chief information officer admits there servers were running known vulnerabilities. At this point it really isn't rumor anymore and some guy doing google searches really doesn't disprove that.
No. That is your invalid assumption only.
Still trying to argue that the Sony network was secure I see.
One the one hand we have your one liners, unrelated classroom theories and gross generalization.
On the other hand we have admission from Sony, Congressional testimony, Hackers pointing out the unpatched nature of the servers months ago and that actual breach of the entire PSN/SOE network through the previously mention known vulnerabilities.
Just because you say it is invalid, doesn't make it so. Especially when that is all you have to reinforce your claims.
Ok where in that statement did it say that the REST of the world knew about this vulnerability? All it says is known of the world not by the REST of the world therefore you are putting words into their mouths and spreading rumors.
Just because a statement says something is known of the world does not mean the entire world. I think what they we trying to get at in this statement is that there were some people who knew of this vulnerability not everyone and that is how this hack happened in the first place. And i guarantee you if EVERYONE in the world knew about it Sony would have too. And so would have obviously the makers and would have fixed this problem and some vulnerabilities I am sure were made obvious when the guy that they sued hacked into his machine and changed a legally pantented piece of hardware. Which in turn could have compromised Sony.
Pantenting has ALWAYS been something that legally protects something that someone invented from being changed. SO all of you out there defending this hacker think about if you had invented something and sold it, this item being patented and then as soon as the public got a hold of it decided that they were just going to change things in your invention after you spending years on making it the way it was. People just do not seem to get what it means when you change coding and such into a patented thing. It is no different than taking an artist's painting or an author's book and starting to paint or rewrite over and mess up the original painting or book which in turn makes that painting worthless. Would you all do that? Heck no because you would not be able to ever resell that painting for 10 of thousands of $s would you? Or millions depending on what it is worth. And you would never do it to a book because it is ilegal I believe it is called Plagarism. To use something that someone else wrote and try to change some of it but copy other parts.
This is what people do not seem to understand in this situation is that he weakened their system in the first place. And then Anonomous decides to take revenge on Sony JUST Like they did last year on Mastercard and Visa and cause a denial of service and guess what.... That denial of service had Mastercard and Visa both froze up for hours. So while Anonymous was doing this and the system was frozen up the people who stole our personal information and the system was not able to read this second hack due to this denial of service.
This is what the 8 page letter to the courts said from Sony was what I said above.
No I am not saying that this is ironclad or anything this is what I derived at after researching and reading everything I could about prior hacks and read about that. This is just my thoughts on this.
ehh There can be a known vulnerability that the software makers haven't patched yet...
but I don't think thats an excuse to not devise a means to monitor those vulnerabilities.
Hire somebody who is capable of monitoring the network outside of "Oh well i installed the latest firewall software herp"
I think the point here is that Sony decided to save some money on network security rather than using the billions they have to implement a system impenatrable by low budget hackers (comparatively, Sony has more money than these hackers do).
Most people go through life pretending to be a boss. I go through life pretending I'm not.
To find out if this was anonymous or not, all you have to do is go and ask them. They won't lie to you.
IT IS NOT ANONYMOUS. I don't know what IRC room they heard this in but it wasn't anonymous saying. It's quite possible they use anonymous IRC servers to talk though, as anyone and everyone is welcome to chat on them as long as they are anonymous while doing so.
It is not anonymous' message to steal things or hurt the everyday man. Anonymous fights for freedom of speech, and against the lies of scientology. This is clearly niether.
Akaronia I believe you might have the wrong idea about a patent?
A patent protects an idea, concept, or physical item based on its design. The intent is that the patent owner desrves credit for his idea/design. Now if you buy a patented item, you physically bought the item and are able to do what you wish with that particular item. You own it. If you want to change it, or draw in the book with a marker, or go crazy "Office Space" with it in a field somewhere you can do that because you own that physical piece you bought. But you can't change something and then resell it, or market it, or do anything outside of own it with out written permision of the original owner. You can't reproduce the item in any form, you are only allowed to use the pyhsical Item you own in any legal way you see fit.
Now if the hacker who moddified his PS3 to do something unintended on the PS3 network, or go beyond just the physical limits of his personal PS3 then there might be legal issues. I'm not fimilar with the case, only ever over heard comments about it. Moddifying a console you physically own is as far as I know legal, but doing it as a service for a unit you don't own is illegal, also the moment you use a moddified system on the PSN you cross into an illegal area of use. As I'm sure their TOS cover that kind of thing.
The big problem is that its easy to use law on something that is physical, but once you step into the world of ideas, and cyber space, legal issues are much harder to protect/understand for both parties, especially the general public if they are brought into a court case.
In the worlds of my Technology Deprived Grandmother. "Global warming is caused by space ships pokeing holes in the atmosphere and letting the heat of the sun into our skies".....ugh....
Sony said it had a known exploit live and that is how the hackers got in. Hackers and security experts have all stated that the Sony servers were not properly patches or isolated from the internet.
You can squabble if the rest of the entire world knew it or it was well known enough that it was already patched. The end result is just the same. Sony servers were not properly secured and the CIO admits as much in his statement. 2 points to him for actually being honest.
It wasn't anonymous, Sony was stupid and the hackers are not being glorified.
Ah finally someone teaches them a lesson after what SoE pulled with the NGE
If you are interested in subscription or PCU numbers for MMORPG's, check out my site :
http://mmodata.blogspot.be/
Favorite MMORPG's : DAoC pre ToA-NF, SWG Pre CU-NGE, EVE Online
I'm not saying the servers firewall's were out of date.. or if they were up to date.. I don't know
what i do know is some sony employees told that purdue professor some gossip that they weren't so it seems plausible.
For the sake of argument.. even if the servers were out of date.. Sony would never reveal that information.. they would use political clout to steer politicians away from criminal negligence and move toward a civil settlement.
Sony has admitted it was a known vulnerability.. but I haven't seen them yet admit the servers were out of date.
Ye i think thats the all point of that affair, somehow sony managed to make their potent go outside the usual limit potent have, is it just to protect their product or to be able to sue such hacker as that young 17 years old that hacked the PSN, i don't know, most certainly both.
http://www.qj.net/ps3/news/anonymous-reveals-demands-for-sony.html
SO this just amazes me as to how nawadays we protect and defend vigilantes who hacked into our credit card companies because our credit card companies were protecting our security by denying a service to a compnay because they found them to be doing ilegal things?????
And guys I don't care what Anonymous says in any book they are criminals and you can not believe anything a criminal says while they are still in denial that they are infact a criminal. Now after the fact that they have reformed maybe they become honest in what they say. But the fact is here Anonymous is in denial that they do anything wrong even though they are vigilante criminal minds who think they can be Robin Hood!!!!!!!! So ask me to believe them again. I dare you.
You really think that even if someone in their organization was involved in this without them knowing at the time then when they found out they would not protect them? I have news criminals protect one another period and especially if there is any kind of connection clouding their judgement.
It is the same as an alcoholic that is in denial of his disease. No different until he is reformed from that disease or in remission. Until you have actually interacted with enough criminals in denial you may not know this. No I am not saying they can not get out of denial and hopefully someday be upstanding citizens who are actually helpful in our comminuty as whole but as long as they are in denial of their problem you can not believe anything they say.
Also go here and find out exactly what a patent is and what it requires to be pantented http://topics.law.cornell.edu/wex/Patent
Akaronia
If you have any information that this was indeed the work of Anonymous or some other hackers, then lets hear it. I'll gladly join arms with you and chant for them to be burned at the metaphorical stake, because that is what they deserve.
Regardless of your views of anonymous for their past actions, based on the information available, they did not do this. Even if somehow they did, it doesn't absolve Sony for their multiple security failures.
I never once said that they did this. What they did do was make it possible for the hackers who did do this to steal from Sony without their security detecing it becaue they had Sony Servers frozen up in a denial of service...
So with this note I will leave this thought if Sony is guilty then Anonymous is just as guilty for their actions which allowed the denial of service to where their security system did not read whoever did this abominable crime period.
I could be wrong.. but from my understanding
Denial of service isn't selective.. it deny's service to everybody.. including would be hackers?
Ye thats what i don't understand, if those server where overloaded, how could you even steal something from it such as a huge database? My only logical explanation is that database was just siting there free to take from anyone that could have pass their first protection. And honestly Anonymous got nothing from this in fact but bad naming, the vulnerabilty of SOE security in fact is as bad for anonymous as it is for Sony...
The people that really have to pay the consequences of all this crap are the customer that have their info in the wild.
The only one who has ever said there was a denial of service attack during this time was Sony. As far as I know no one else has mentioned it, including their customers.
The attacks on the PSN/SOE servers took place between April 17th and April 19th. Sony servers did not come down until April 20th.
As far as I know there was no DOS attack on the PSN/SOE servers between April 17th and 19th and everything was running just fine. Anonymous stopped their DOS attacks on April 7th stating they were only hurting Sony customers and not Sony.
Everything about the DOS attack and any connection to Anonymous feels more like a smokescreen trying to shift blame to someone else, because Sony needs someone to blame.